Firewall Wizards mailing list archives
Re: firewall-wizards Digest, Vol 40, Issue 6
From: <jamesworld () intelligencia com>
Date: Fri, 21 Aug 2009 11:27:48 -0500
Yes, this is easy. You need an extra address on the outside to create a static NAT for. Then you need to allow the traffic to that IP address (udp/500, udp/4500, ESP) by way of an access-list.

It would look something like below. 192.0.0.20 is an example outside address; 10.5.5.5 is an example inside address (VPN terminating device). "inside" is assumed; it could be any other interface (for the static command).

Configuration
--------------------
static (inside,outside) 192.0.0.20 10.5.5.5 netmask 255.255.255.255
access-list acl-outside-in permit udp any host 192.0.0.20 eq 500
access-list acl-outside-in permit udp any host 192.0.0.20 eq 4500
access-list acl-outside-in permit esp any host 192.0.0.20
access-group acl-outside-in in interface outside

At 11:00 AM 8/21/2009, firewall-wizards-request () listserv icsalabs com wrote:
Message: 1
Date: Wed, 19 Aug 2009 13:52:53 -0400
From: Dan Ritter <dsr () tao merseine nu>
Subject: [fw-wiz] PIX in multiple IPsec roles
To: firewall-wizards () listserv icsalabs com
Message-ID: <20090819175253.GZ23234 () tao merseine nu>
Content-Type: text/plain; charset=us-ascii

Is there a plausible way to convince a PIX to pass through an IPsec tunnel to another device while simultaneously being an endpoint for a different tunnel?

I have sites A, B, and C. Each has a PIX515E with tunnels to the other two sites. Now a vendor wants to establish a tunnel to a device inside PIX A.

I seem to be lacking the right keywords to search for this.

-dsr-
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
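An added example, not from the reply or from anyone in the thread: a small Python check that parses the static / access-list / access-group lines in the answer above and reports which of the udp/500, udp/4500 and ESP permits for a given outside address are missing, so a passthrough that silently lacks one of the three can be caught before the vendor's tunnel fails. The sample configuration string is constructed from the reply; the function names are my own.

```python
import re

# Constructed sample: the static NAT + ACL lines from the reply above (not a live device).
SAMPLE_CONFIG = """\
static (inside,outside) 192.0.0.20 10.5.5.5 netmask 255.255.255.255
access-list acl-outside-in permit udp any host 192.0.0.20 eq 500
access-list acl-outside-in permit udp any host 192.0.0.20 eq 4500
access-list acl-outside-in permit esp any host 192.0.0.20
access-group acl-outside-in in interface outside
"""

# What a remote peer needs to reach the inside VPN endpoint through the static NAT:
# IKE (udp/500), NAT-Traversal (udp/4500) and ESP (IP protocol 50, so no port).
REQUIRED = {("udp", "500"), ("udp", "4500"), ("esp", None)}

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.+?) host (\S+)(?: eq (\S+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def parse(config):
    """Collect static NATs (outside -> inside), ACL entries per name, and ACLs bound per interface."""
    statics, acls, groups = {}, {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics[m.group(3)] = m.group(4)
        elif m := ACL_RE.match(line):
            # entry = (action, protocol, destination host, destination port or None)
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(5), m.group(6)))
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)
    return statics, acls, groups


def ipsec_passthrough_gaps(config, outside_ip, outside_if="outside"):
    """Return a list of missing pieces; an empty list means the passthrough is complete."""
    statics, acls, groups = parse(config)
    gaps = []
    if outside_ip not in statics:
        gaps.append(f"no static NAT for {outside_ip}")
    acl_name = groups.get(outside_if)
    if acl_name is None:
        gaps.append(f"no access-group applied inbound on {outside_if}")
    entries = acls.get(acl_name, [])
    permitted = {(proto, port) for action, proto, dst, port in entries
                 if action == "permit" and dst == outside_ip}
    for proto, port in sorted(REQUIRED - permitted, key=str):
        gaps.append(f"missing permit {proto}" + (f" eq {port}" if port else "") + f" to {outside_ip}")
    return gaps
```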
Current thread:
- Re: firewall-wizards Digest, Vol 40, Issue 6 jamesworld (Aug 23)
- Re: firewall-wizards Digest, Vol 40, Issue 6 Dan Ritter (Aug 25)